31.01.2023
Sanction for GDPR infringement
In December 2022, the National Supervisory Authority finalized two investigations, one at a dental office and one at a dentist collaborating with that office, both of them data controllers.
Therefore, it was found that:
- the controller Dent Estet Clinic SA breached the provisions of Article 33 of Regulation (EU) 2016/679 and was fined Lei 4,919.2 (the equivalent of EUR 1,000), with a corrective measure also applied;
- the controller dentist collaborating with Dent Estet Clinic SA breached the provisions of Article 6 paragraph (1) letter a) and Article 9 paragraph (2) letter a) of Regulation (EU) 2016/679, in conjunction with Articles 12-14 of the same act, and was fined Lei 4,919.2 (the equivalent of EUR 1,000), with a corrective measure also applied.
The investigations were opened following a complaint submitted by a data subject, who claimed that the controllers Dent Estet Clinic SA and the collaborating dentist had disclosed his/her health data online.
During the investigations, it was found that the controllers had disclosed medical information regarding the complainant's orthodontic treatment, consisting of a set of photographs and radiographs that could be correlated with the person's name, by publishing an article on a blog. This information was published for both scientific and commercial purposes.
It was also found that the controller Dent Estet Clinic SA, although informed by the complainant himself/herself of the unauthorized disclosure of his/her personal data concerning health, did not notify the National Supervisory Authority within 72 hours of the date on which it became aware of the data breach, thus breaching Article 33 of Regulation (EU) 2016/679.
A corrective measure was also applied to the controller Dent Estet Clinic SA, requiring it to bring its personal data processing operations into conformity with Regulation (EU) 2016/679 by implementing technical and organizational measures adequate to the specifics of its processing and the risks identified, throughout the entire data processing cycle. This covers the appropriate training of the operators and other persons who process data under its authority, compliance with the conditions for lawful processing, and full information of the data subjects.
The National Supervisory Authority also found that the collaborating dentist processed, including by using and disclosing, the data subject's personal data concerning health in an article posted on his/her personal blog, without providing proof of having obtained the specific consent of the person concerned and without informing that person beforehand, thus breaching the provisions of Article 6 paragraph (1) letter a) and Article 9 paragraph (2) letter a) of Regulation (EU) 2016/679, in conjunction with the provisions of Articles 12-14 of the same enactment.
A corrective measure was likewise applied to the controller dentist, requiring that patients' personal data be processed in strict compliance with the legal provisions on the provision of medical services and on personal data protection. Where such personal data is used for other purposes, the dentist was ordered to comply with all the conditions for lawful processing and for informing the data subjects, according to the purposes of the processing and the categories of personal data processed, and to implement anonymization or pseudonymization measures where necessary.
Legal and Communication Department
A.N.S.P.D.C.P.